AESOP: Adversarial Execution-path Selection to Overload Deep Learning Pipelines

TL;DR

AESOP demonstrates a novel adversarial method targeting dynamic ML inference pipelines, significantly inflating computational costs and latency by exploiting path selection vulnerabilities under various defenses.

Contribution

The paper introduces AESOP, a new framework for adversarial path selection in ML pipelines, revealing a substantial efficiency attack surface not addressed by existing methods.

Findings

AESOP inflates FLOPs by up to 2,407× in white-box settings.

AESOP causes up to 419× latency increase and redirects attacks under defenses.

The attack can force pipelines into throughput collapse or high data loss.

Abstract

Modern machine learning deployments increasingly compose specialized models into dynamic inference pipelines, where upstream components produce intermediate predictions that determine the workload and inputs of downstream components. The cost of processing an input is therefore not determined by any single model, but by two coupled factors: the per-inference cost of each invoked component and its workload volume. Because these pipelines run under hard real-time constraints, efficiency is a fundamental requirement for system availability. We show that this structure creates an efficiency-attack surface that existing methods targeting single models cannot exploit: on identical inputs and budgets, path-aware targeting inflates FLOPs by $2,407\times$ while the strongest single-model baseline achieves $117\times$ -- a $20\times$ gap attributable entirely to where the attack is directed. We formalize this as the adversarial path-selection problem and present AESOP, a framework combining vulnerability-guided path ranking with adaptive loss weighting. We evaluate AESOP on five pipelines plus a production-realistic deployment variant with batching, bounded buffering, and confidence-threshold defenses. AESOP achieves up to $2,407\times$ FLOPs and $419\times$ latency inflation in white-box setting and 58$\times$ FLOPs / 17$\times$ latency in gray-box settings. Under system-level defenses, the attack is not neutralized but redirected: pipelines are forced to choose between throughput collapse ($0.578 \to 0.006$ input/s) and $96.7\%$ data loss to sustain throughput.